public inbox for git-commits@fedoraproject.org
From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: disable ZLIB loading by default (due to CRIME attack)
Date: Tue, 09 Jun 2026 12:42:49 GMT [thread overview]
Message-ID: <178100896981.1.8071164091402142353.rpms-openssl-169c3a0ddb79@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 169c3a0ddb7933a77842a57afba9ff1419cce17f
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2013-02-19T16:41:14+01:00
Stats : +44/-16 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/169c3a0ddb7933a77842a57afba9ff1419cce17f?branch=rebase_40beta
Log:
disable ZLIB loading by default (due to CRIME attack)
---
diff --git a/openssl-0.9.8j-env-nozlib.patch b/openssl-0.9.8j-env-nozlib.patch
deleted file mode 100644
index 65af5a8..0000000
--- a/openssl-0.9.8j-env-nozlib.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set.
-diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c
---- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib 2009-01-05 15:43:07.000000000 +0100
-+++ openssl-0.9.8j/ssl/ssl_ciph.c 2009-01-14 17:47:46.000000000 +0100
-@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo
-
- MemCheck_off();
- ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
-- if (ssl_comp_methods != NULL)
-+ if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
- {
- comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
- if (comp != NULL)
diff --git a/openssl-1.0.1e-env-zlib.patch b/openssl-1.0.1e-env-zlib.patch
new file mode 100644
index 0000000..b702acb
--- /dev/null
+++ b/openssl-1.0.1e-env-zlib.patch
@@ -0,0 +1,38 @@
+diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
+--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2013-02-11 16:02:48.000000000 +0100
++++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-19 16:32:51.000000000 +0100
+@@ -47,6 +47,13 @@ Once the identities of the compression m
+ been standardized, the compression API will most likely be changed. Using
+ it in the current state is not recommended.
+
++It is also not recommended to use compression if data transfered contain
++untrusted parts that can be manipulated by an attacker as he could then
++get information about the encrypted data. See the CRIME attack. For
++that reason the default loading of the zlib compression method is
++disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
++is present during the library initialization.
++
+ =head1 RETURN VALUES
+
+ SSL_COMP_add_compression_method() may return the following values:
+diff -up openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib openssl-1.0.1e/ssl/ssl_ciph.c
+--- openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-02-19 16:37:36.163545085 +0100
+@@ -140,6 +140,8 @@
+ * OTHERWISE.
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <openssl/objects.h>
+ #ifndef OPENSSL_NO_COMP
+@@ -455,7 +457,7 @@ static void load_builtin_compressions(vo
+
+ MemCheck_off();
+ ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL)
++ if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
+ {
+ comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL)
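Review bot: the unconditional `#define _GNU_SOURCE` at the top of ssl_ciph.c will trigger a redefinition warning (and with -Werror, a build failure) whenever the build already passes -D_GNU_SOURCE in CFLAGS, and secure_getenv() itself only exists in glibc 2.17 and later, so the patch should guard both: `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`, and a fallback to `__secure_getenv` (or to treating the variable as absent) on older glibc. Using secure_getenv() rather than getenv() is the right choice here, since it returns NULL in AT_SECURE (setuid/setgid) processes and so prevents an untrusted environment from re-enabling TLS compression in a privileged program; that rationale is worth a one-line comment next to the call. The added POD text also has two typos ("transfered" should be "transferred", and "data ... contain" should agree in number) and should state explicitly that the variable's presence is checked only once, at library initialization, so setting it later in the process has no effect.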
diff --git a/openssl.spec b/openssl.spec
index 5b132f0..c281a26 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
Name: openssl
Version: 1.0.1e
# Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 1%{?dist}
+Release: 2%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -56,7 +56,7 @@ Patch36: openssl-1.0.0e-doc-noeof.patch
Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
Patch39: openssl-1.0.1c-ipv6-apps.patch
Patch40: openssl-1.0.1e-fips.patch
-Patch45: openssl-0.9.8j-env-nozlib.patch
+Patch45: openssl-1.0.1e-env-zlib.patch
Patch47: openssl-1.0.0-beta5-readme-warning.patch
Patch49: openssl-1.0.1a-algo-doc.patch
Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
@@ -159,7 +159,7 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch38 -p1 -b .op-all
%patch39 -p1 -b .ipv6-apps
%patch40 -p1 -b .fips
-%patch45 -p1 -b .env-nozlib
+%patch45 -p1 -b .env-zlib
%patch47 -p1 -b .warning
%patch49 -p1 -b .algo-doc
%patch50 -p1 -b .dtls1-abi
@@ -430,6 +430,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Tue Feb 19 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-2
+- disable ZLIB loading by default (due to CRIME attack)
+
* Tue Feb 19 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-1
- new upstream version
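Review bot: the changelog entry should name the new opt-in variable OPENSSL_DEFAULT_ZLIB and say that the previous opt-out variable OPENSSL_NO_DEFAULT_ZLIB no longer has any effect, because this commit inverts the default (compression was previously loaded unless disabled and is now disabled unless enabled); a one-line "disable ZLIB loading by default" does not tell users who relied on either setting what changed for them.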